Luxembourg, 2026-05-20 — The Computer Incident Response Center Luxembourg (CIRCL) announces that it is becoming a CVE Numbering Authority (CNA) within the global CVE™ (Common Vulnerabilities and Exposures) Program, under the ENISA CVE Root.
This new role strengthens CIRCL’s ability to support coordinated vulnerability disclosure in Luxembourg and across the European cybersecurity ecosystem. As a CNA, CIRCL will be able to assign CVE Identifiers (CVE IDs) and publish CVE Records for vulnerabilities falling within its scope, helping affected organisations, vendors, researchers and defenders rely on a common, globally recognised reference for publicly disclosed vulnerabilities.
The announcement comes at an important moment for Luxembourg’s cybersecurity framework. The Chamber of Deputies recently gave a positive first constitutional vote to draft law 8364, which transposes the NIS 2 Directive into national law and establishes a strengthened national framework for cybersecurity. The parliamentary dossier records the positive first constitutional vote on 28 April 2026, with a request for exemption from the second vote.
Under this framework, CIRCL is designated as the coordinator for coordinated vulnerability disclosure in Luxembourg. The parliamentary report describes CIRCL as a trusted intermediary facilitating interactions between vulnerability reporters and the manufacturers or providers of potentially vulnerable ICT products or services, including identifying and contacting affected entities, assisting reporters, negotiating disclosure timelines, and managing vulnerabilities affecting multiple entities.
“Becoming a CNA is a natural extension of CIRCL’s long-standing work in vulnerability coordination, incident response and open-source vulnerability intelligence,” said Alexandre Dulaunoy, Head of CIRCL. “It allows us to provide a clearer and faster path from responsible reporting to globally recognised vulnerability identifiers, while preserving the principles of coordinated disclosure, trust and proportionality.”
CIRCL’s public Coordinated Vulnerability Disclosure policy already defines a structured process for receiving vulnerability reports, acting as a trusted intermediary, assisting reporters, coordinating with affected entities, negotiating disclosure timelines, and contributing to the European Vulnerability Database (EUVD) managed by ENISA.
ENISA became a CVE Root in November 2025, making it a central point of contact within the CVE Program for national and EU authorities, EU CSIRTs Network members and cooperative partners under ENISA’s mandate. ENISA’s Root role includes recruiting, onboarding, training and supporting CNAs within its scope and helping ensure that CVE Program guidelines and processes are followed.
By partnering with the CVE Program under the ENISA Root, CIRCL reinforces the connection between Luxembourg’s national CVD process, the European vulnerability-management ecosystem, and the global CVE infrastructure. This will improve consistency, reduce ambiguity in vulnerability references, and support more timely sharing of actionable information with vendors, security teams and the wider community.
“Vulnerability disclosure is most effective when researchers, vendors, CSIRTs and public authorities can work through trusted and transparent processes,” said Cédric Bonhomme. “CIRCL’s role as a CNA will help turn coordinated disclosure into operationally useful information for those who need to assess, prioritise and remediate vulnerabilities.”
CIRCL will continue to operate its CVD reporting channel through Vulnerability-Lookup and to support reporters, affected entities and partners in accordance with its CVD policy. Vulnerabilities can be reported through CIRCL’s official disclosure platform at vulnerability.circl.lu.
About the CVE Program
The mission of the CVE™ Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
About CIRCL
The Computer Incident Response Center Luxembourg, CIRCL, is the CERT/CSIRT for the private sector, communes and non-governmental entities in Luxembourg. CIRCL supports incident response, threat intelligence sharing, vulnerability coordination and the development of open-source tools and services for the cybersecurity community.